Wednesday, January 05, 2011

“Prying by a Former Bureaucrat”

As I’ve noted in earlier posts, a provision of 18 U.S. Code § 1030, the general federal computer crime statute, makes it a federal crime to access a computer “without authorization” or by “exceed[ing] authorized access” if certain conditions are met.

The provision in question is 18 U.S. Code § 1030(a)(2), which makes it a crime to access information held by a financial institution (§ 1030(a)(2)(A)), a “department or agency of the United States” (§ 1030(a)(2)(B)) or a “protected computer” (§ 1030(a)(2)(C)). Most of the posts I’ve done that deal with § 1030(a)(2) focused on the third crime, i.e., the § 1030(a)(2)(C) offense, simply because it applies essentially to any networked computer. There tend to be more cases involving “protected computers” than involving financial institutions or government computers.

This post, however, is about someone who was charged with violating § 1030(a)(2)(B). The case is U.S. v. Rodriguez, __ F.3d __, 2010 WL 5253231 (U.S. Court of Appeals for the 11th Circuit 2010), and this is how it arose:

From 1995 to 2009, Roberto Rodriguez worked as a TeleService representative for the Social Security Administration. [His] duties included answering questions of the general public about social security benefits over the telephone. As part of his duties, [he] had access to Administration databases that contained sensitive personal information, including any person's social security number, address, date of birth, father's name, mother's maiden name, amount and type of social security benefit received, and annual income.

The Administration established a policy that prohibits an employee from obtaining information from its databases without a business reason. The Administration informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily. The Administration also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing. The Administration warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases. From 2006 to 2008, Rodriguez refused to sign the acknowledgment forms. He asked a supervisor rhetorically, `Why give the government rope to hang me?’ To monitor access and prevent unauthorized use, the Administration issued unique personal identification numbers and passwords to each TeleService employee and reviewed usage of the databases.

In August 2008, the Administration flagged Rodriguez's personal identification number for suspicious activity. Administration records established that [he] had accessed the personal records of 17 different individuals for nonbusiness reasons. The Administration informed Rodriguez that it was conducting a criminal investigation into his use of the databases, but [he] continued his unauthorized use. None of the 17 victims knew that Rodriguez had obtained their personal information without authorization until investigators informed them of his actions.

U.S. v. Rodriguez, supra. Among Rodriguez’s victims were his ex-wife (he checked to see how much “she was earning”), a woman who lived with him for 4 years, a woman who worked with Rodriguez at a post office in 1999 and the following:

Dana Fennell, a professor of sociology from Mississippi, . . . met Rodriguez at a Unitarian Universalist church study group when she was visiting her parents in Florida. Fennell interviewed Rodriguez for a study on the health effects of religion. . . . After [she] returned to her home in Mississippi, she received flowers from Rodriguez on Valentine's Day even though she had not given [him] her address. [He] later arrived at Fennell's doorstep unannounced, and [she] was surprised and frightened by his presence. On another occasion, Rodriguez mentioned Fennell's father's birthday to [her] though she had never mentioned her father to [him]. . . . Rodriguez accessed Fennell's personal information on Administration databases 65 times, and he accessed the personal information of Fennell's mother and father multiple times.

Jessica Fox also met Rodriguez at the church study group. . . . [She] received a letter from [him] at home and was shocked because she had not given [him] her address. . . . Rodriguez accessed Fox's personal information 45 times.

Based on all this, a grand jury indicted Rodriguez on “17 misdemeanor counts of violating” 18 U.S. Code § 1030(a)(2)(B). U.S. v. Rodriguez, supra. He went to trial, was convicted and appealed. U.S. v. Rodriguez, supra. This, if you’re interested, was his defense:

During opening statement, Rodriguez's attorney conceded that [he] `access[ed] things that were unauthorized.’ Rodriguez testified in his defense and admitted accessing the personal information of the victims. [He said] he accessed the personal information as part of a whistle-blowing operation to test whether his unauthorized use of the databases would trigger the attention of the Administration because he was conducting an investigation into improper denials of disability benefits. [He] admitted he did not access the victims' records as a part of his duties as a TeleService representative.

U.S. v. Rodriguez, supra.

On appeal, Rodriguez argued that “he did not violate § 1030(a)(2)(B) because he accessed only databases that he was authorized to use as a TeleService representative”. U.S. v. Rodriguez, supra. The Court of Appeals found that his argument

ignores both the law and the record. The Computer Fraud and Abuse Act makes it a crime to `intentionally access[ ] a computer without authorization or exceed[ ] authorized access, and thereby obtain[ ] information from any department or agency of the United States.’ 18 U.S. Code § 1030(a)(2)(B). The Act defines the phrase `exceeds authorized access’ as `to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.’ 18 U.S. Code § 1030(e)(6).

The policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons. Rodriguez conceded at trial that his access of the victims' personal information was not in furtherance of his duties as a TeleService representative and that `he did access things that were unauthorized.’ In the light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.

U.S. v. Rodriguez, supra.

Rodriguez relied on a decision of the U.S. Court of Appeals for the 9th Circuit – LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (2009) – as support for his interpretation of what “exceeds authorized access” means. (As I’ve noted in earlier posts, 18 U.S. Code § 1030 allows victims of activity that violates its provisions to bring a civil suit against the victimizer; that’s what the Brekka case was.)

In that case, the 9th Circuit held that Brekka had not violated § 1030(a)(2)(C) when “he emailed documents he was authorized to obtain to his personal email account” because the treatment center he worked for did not have a policy prohibiting such conduct. U.S. v. Rodriguez, supra. The 11th Circuit explained that Brekka didn’t apply here because the Social Security Administration “told Rodriguez he was not authorized to obtain personal information for nonbusiness reasons.” U.S. v. Rodriguez, supra.

Rodriguez also argued that “his conviction cannot stand because he never used the personal information he accessed without authorization to defraud anyone or to gain financially,” but the 11th Circuit found that this argument “is foreclosed by the plain language of the [Computer Fraud and Abuse] Act.” U.S. v. Rodriguez, supra.

As I explained in an earlier post, § 1030(c)(2)(B) defines the circumstances under which a violation of § 1030(a)(2) is a felony. And as the 11th Circuit explained in ruling on Rodriguez’s fraud/financial gain argument,

Sections 1030(c)(2)(B)(i) and (ii) of the [Computer Fraud and Abuse] Act provide a punishment of up to five years of imprisonment if `the offense was committed for purposes of commercial advantage or private financial gain [or] . . . was committed in furtherance of any criminal or tortious act.’ 18 U.S. Code § 1030(c)(2)(B)(i), (ii). The misdemeanor penalty provision of the Act . . . was convicted does not contain any language regarding purposes for committing the offense. See 18 U.S. Code § 1030(c)(2)(B). [His] argument would eviscerate the distinction between these misdemeanor and felony provisions. That Rodriguez did not use the information to defraud anyone or gain financially is irrelevant.

U.S. v. Rodriguez, supra.

The Court of Appeals therefore upheld Rodriguez’s conviction and his sentence . . . which, if you were wondering, was “12 months of imprisonment.” U.S. v. Rodriguez, supra. Rodriguez argued “that the sentence . . . is unreasonable because he is 54 years old, he has no prior criminal history, the offense was nonviolent, and he has already lost his job as a result of his actions”, but the court disagreed. U.S. v. Rodriguez, supra. It held that the district court judge, who sentenced Rodriguez, was entitled to find that the sentence was appropriate given “the number of victims and the extensive nature of Rodriguez’s unauthorized access.” U.S. v. Rodriguez, supra. It also noted that while “Rodriguez did not use the information he obtained to commit another crime, he used the information in a manner unwelcomed by his victims.” U.S. v. Rodriguez, supra.

As Wikipedia notes, the U.S. “federal government generally considers a crime punishable with incarceration for one year or less to be a misdemeanor.” As Wikipedia also notes, this means misdemeanors are “typically crimes with a maximum punishment of 12 months of incarceration”, so it looks like the judge gave Rodriguez the maximum sentence he could impose for the crime of which he was convicted.

(If you’re wondering about the title of this post, it comes from the opinion: “The main issue in this appeal is whether the prying by a former bureaucrat is criminal”. U.S. v. Rodriguez, supra.)